Closed Bug 1053683 Opened 10 years ago Closed 10 years ago

Crash [@ js::irregexp::ActionNode::FillInBMInfo]

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla34
Tracking Status
firefox31 --- unaffected
firefox32 --- fixed
firefox33 --- fixed
firefox34 --- fixed
firefox-esr24 --- unaffected
firefox-esr31 --- unaffected
b2g-v1.4 --- unaffected
b2g-v2.0 --- fixed
b2g-v2.1 --- fixed

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

Attached file debug and opt stacks
RegExp("(||(w{2147483648}){4})*1").test()

crashes js debug and opt shells on m-c changeset d7e78f0c1465 with --ion-eager --ion-offthread-compile=off --no-threads at js::irregexp::ActionNode::FillInBMInfo

My configure flags are: (debug)

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-nspr-build

Opt:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --enable-optimize --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-nspr-build

Guessing this is related to irregexp, so setting needinfo? from Brian. Setting s-s and guessing sec-high as a start.
Flags: needinfo?(bhackett1024)
Attached patch: patch
This is a simple overrecursion --- FillInBMInfo implementations freely recurse into each other with no stack checks.  I'm not sure how v8 avoids the need for overrecursion checks in this case, but it seems better to make these checks explicit.
Assignee: nobody → bhackett1024
Attachment #8473111 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
Attachment #8473111 - Flags: review?(jdemooij) → review+
Crash Signature: [@ js::irregexp::ActionNode::FillInBMInfo]
Comment on attachment 8473111 [details] [diff] [review]
patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Not exploitable --- overrecursion crash.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

The problem is kind of obvious from the patch.

Which older supported branches are affected by this flaw?

32+

If not all supported branches, which bug introduced the flaw?

bug 976446

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

trivial

How likely is this patch to cause regressions; how much testing does it need?

none

Approval Request Comment
[Feature/regressing bug #]: bug 976446
[User impact if declined]: potential non-exploitable crash
[Describe test coverage new/current, TBPL]: none
[Risks and why]: none
Attachment #8473111 - Flags: sec-approval?
Attachment #8473111 - Flags: approval-mozilla-beta?
Attachment #8473111 - Flags: approval-mozilla-aurora?
Group: core-security, javascript-core-security
Keywords: sec-high
Attachment #8473111 - Flags: sec-approval?
Attachment #8473111 - Flags: approval-mozilla-beta?
Attachment #8473111 - Flags: approval-mozilla-beta+
Attachment #8473111 - Flags: approval-mozilla-aurora?
Attachment #8473111 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/mozilla-central/rev/e826a3acc243
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Flags: qe-verify-